Add support for External Keystone Service

This patch adds a new `ExternalKeystoneAPI` property to KeystoneAPI to
enable the use of an existing Keystone Service that is external to the
OpenShift environment used to run this operator.

For example, a multi-region deployment where one region is running a
centralized Keystone service can use this to deploy additional regions
that can use the centralized Keystone service without the need to run
their own instance of Keystone.

Assisted-by: Cursor (Auto Model)

Author: dmendiza

api/bases/keystone.openstack.org_keystoneapis.yaml

@@ -98,6 +98,11 @@ spec:
                 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                   policies
                 type: boolean
+              externalKeystoneAPI:
+                default: false
+                description: ExternalKeystoneAPI - Enable use of external Keystone
+                  API endpoints instead of deploying a local Keystone API
+                type: boolean
               extraMounts:
                 default: []
                 description: ExtraMounts containing conf files

api/v1beta1/conditions.go

@@ -111,4 +111,25 @@ const (
 
 	// KeystoneServiceOSUserReadyErrorMessage
 	KeystoneServiceOSUserReadyErrorMessage = "Keystone Service user error occured %s"
+
+	//
+	// External Keystone API condition messages
+	//
+	// ExternalKeystoneAPIDBMessage
+	ExternalKeystoneAPIDBMessage = "External Keystone API configured - database is not managed by this operator"
+
+	// ExternalKeystoneAPIDBAccountMessage
+	ExternalKeystoneAPIDBAccountMessage = "External Keystone API configured - database account is not managed by this operator"
+
+	// ExternalKeystoneAPIRabbitMQTransportURLMessage
+	ExternalKeystoneAPIRabbitMQTransportURLMessage = "External Keystone API configured - RabbitMQ is not managed by this operator"
+
+	// ExternalKeystoneAPIMemcachedReadyMessage
+	ExternalKeystoneAPIMemcachedReadyMessage = "External Keystone API configured - memcached is not managed by this operator"
+
+	// ExternalKeystoneAPIServiceConfigReadyMessage
+	ExternalKeystoneAPIServiceMessage = "External Keystone API configured - service is not managed by this operator"
+
+	// ExternalKeystoneAPINetworkAttachmentsReadyMessage
+	ExternalKeystoneAPINetworkAttachmentsReadyMessage = "External Keystone API configured - network attachments are not managed by this operator"
 )

api/v1beta1/keystoneapi.go

@@ -26,7 +26,6 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/endpoint"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
-	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
@@ -122,6 +121,7 @@ func GetAdminServiceClient(
 	ctx context.Context,
 	h *helper.Helper,
 	keystoneAPI *KeystoneAPI,
+	endpointInterface ...endpoint.Endpoint,
 ) (*openstack.OpenStack, ctrl.Result, error) {
 	os, ctrlResult, err := GetScopedAdminServiceClient(
 		ctx,
@@ -130,6 +130,7 @@ func GetAdminServiceClient(
 		&gophercloud.AuthScope{
 			System: true,
 		},
+		endpointInterface...,
 	)
 	if err != nil {
 		return nil, ctrlResult, err
@@ -144,9 +145,15 @@ func GetScopedAdminServiceClient(
 	h *helper.Helper,
 	keystoneAPI *KeystoneAPI,
 	scope *gophercloud.AuthScope,
+	endpointInterface ...endpoint.Endpoint,
 ) (*openstack.OpenStack, ctrl.Result, error) {
-	// get public endpoint as authurl from keystone instance
-	authURL, err := keystoneAPI.GetEndpoint(endpoint.EndpointInternal)
+	// get endpoint as authurl from keystone instance
+	// default to internal endpoint if not specified
+	epInterface := endpoint.EndpointInternal
+	if len(endpointInterface) > 0 {
+		epInterface = endpoint.Endpoint(endpointInterface[0])
+	}
+	authURL, err := keystoneAPI.GetEndpoint(epInterface)
 	if err != nil {
 		return nil, ctrl.Result{}, err
 	}
@@ -163,7 +170,7 @@ func GetScopedAdminServiceClient(
 			h,
 			keystoneAPI.Spec.TLS.CaBundleSecretName,
 			10*time.Second,
-			tls.InternalCABundleKey)
+			interfaceBundleKeys[epInterface])
 		if err != nil {
 			return nil, ctrl.Result{}, err
 		}

api/v1beta1/keystoneapi_types.go

@@ -53,6 +53,14 @@ const (
 	APIDefaultTimeout = 60
 )
 
+var (
+	// interfaceBundleKeys maps endpoint winterfaces to their corresponding key in the CA bundle secret
+	interfaceBundleKeys = map[endpoint.Endpoint]string{
+		endpoint.EndpointInternal: tls.InternalCABundleKey,
+		endpoint.EndpointPublic:   tls.CABundleKey,
+	}
+)
+
 // KeystoneAPISpec defines the desired state of KeystoneAPI
 type KeystoneAPISpec struct {
 	KeystoneAPISpecCore `json:",inline"`
@@ -213,6 +221,11 @@ type KeystoneAPISpecCore struct {
 	// This is only needed when multiple realms are federated.
 	// Config files mount path is set to /var/lib/httpd/metadata/
 	FederatedRealmConfig string `json:"federatedRealmConfig"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	// ExternalKeystoneAPI - Enable use of external Keystone API endpoints instead of deploying a local Keystone API
+	ExternalKeystoneAPI bool `json:"externalKeystoneAPI"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.

config/crd/bases/keystone.openstack.org_keystoneapis.yaml

@@ -98,6 +98,11 @@ spec:
                 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                   policies
                 type: boolean
+              externalKeystoneAPI:
+                default: false
+                description: ExternalKeystoneAPI - Enable use of external Keystone
+                  API endpoints instead of deploying a local Keystone API
+                type: boolean
               extraMounts:
                 default: []
                 description: ExtraMounts containing conf files